067.md

chaduke

medium

DOS attack to deployAndDeposit()

Summary

deployAndDeposit() is subject to a DOS attack because the function iterates through each collateral in a for loop. As a result, if a malicious user can increase the list of collateral for a _bidId, then deployAndDeposit() will revert due to out of gas, a DOS attack.

Vulnerability Detail

We show how a malicious user Bob can launch an attack to deployAndDeposit() below:

1. Bob can call commitCollateral() to add a list of new collaterals (ERC20 tokens) to _bidId. Suppose the borrower of _bidId is Alice.

https://github.com/sherlock-audit/2023-03-teller/blob/main/teller-protocol-v2/packages/contracts/contracts/CollateralManager.sol#L117-L130

2. In order to bypass the check at L122 for function checkBalances(). For each new collateral _col, Bob will send 1 wei of _col token to Alice so that the following check will pass. Here we suppose _collateralInfo._amount = 1.

 if (collateralType == CollateralType.ERC20) {
            return
                _collateralInfo._amount <=
                IERC20Upgradeable(_collateralInfo._collateralAddress).balanceOf(
                    _borrowerAddress
                );

3. Because the list of new collaterals for _bidId becomes too long, the call of deployAndDeposit() will revert due to out of gas, a DOS attack.

Impact

A malicious user can effectively add new collaterals for a _bidId and cause deployAndDeposit() to revert due to out of gas.

Code Snippet

see above

Tool used

VSCode

Manual Review

Recommendation

Restrict the length of the list of collaterals for each _bidId so that out-of-gas can be avoided.